...
...
...
Use this object to configure the ... IPsec Security Policy Database (SPD) for the ... . If the action parameter is set to "protect", the SPD entry establishes the phase 2 criteria for the negotiation between the ... and the IKE peer. Successful completion of this negotiation results in a Security Association (SA).

Command Syntax
```
% set addressContext <addressContext name> ipsec spd <spd_name>
    action <bypass | discard | protect>
    ...
    mode <transport | tunnel>
    precedence <0-65535>
    ...
    state <disabled | enabled>
```
Command Parameters

| Parameter | Length/Range | Description |
|---|---|---|
| addressContext | 1-23 | ... |
| spd | ... | Name of the IPsec Security Policy Database (SPD) entry. The IPsec SPD is an ordered list of entries ("rules") that specify sets of packets and determine whether to permit, deny, or protect packets between the ... and the peer referenced from the entry. If the packets are to be protected, the entry references the information that specifies how to protect them. You can configure up to 4,096 SPD entries. |
| action | N/A | Action applied to packets processed by ... IPsec that match the selectors of this SPD rule. discard: the packets are dropped. bypass: the packets are passed as clear text. protect: the packets are protected by ... IPsec according to the protection parameters in the configured ... IPsec protection profile. |
| localIpAddr | IPv4 or IPv6 address | Specifies the local IPv4 or IPv6 address of the SPD traffic selector. Default is 0.0.0.0. |
| localIpPrefixLen | 0-128 | Specifies the local IP prefix length of the SPD traffic selector. Default value is 0. If the ... IPsec Peer protocol is set to "IKEv2" or "ANY", localIpPrefixLen must be set to 32 for IPv4 and 128 for IPv6 because the ... does not support range-based parameters for IKEv2 selectors. |
| localPort | 0-65535 | Specifies the local port of the SPD traffic selector. Zero indicates wildcard. Default value is 0. |
| mode | N/A | Sets the SPD mode type. transport: encrypts and authenticates the IP payload only. tunnel (default): encrypts and authenticates the entire IP packet (header and payload); the encrypted packet is encapsulated in a new packet with a new IP header. Notes: this parameter is only applicable when action is set to "protect". Transport mode is the recommended mode for LI configuration. Tunnel mode is recommended for SIP peering; transport mode is also supported for SIP peering, but it requires the SBC's SIP signaling port IP address to be the same as the SBC's IP interface IP address. |
| precedence | 0-65535 | A unique precedence (evaluation order) for this SPD entry. |
| protocol | 0-255 | Specifies the IP protocol number of the SPD traffic selector, using the IANA protocol number assignment (for example, protocol number 6 is TCP and 17 is UDP). Zero indicates wildcard. Default value is 0. |
| remoteIpAddr | N/A | Specifies the remote IPv4 or IPv6 address of the SPD traffic selector. Default is 0.0.0.0. |
| remoteIpPrefixLen | 0-128 | Specifies the remote IP prefix length of the peer's SPD traffic selector. Zero indicates wildcard. Default value is 0. If the ... IPsec Peer protocol is set to "IKEv2" or "ANY", remoteIpPrefixLen must be set to 32 for IPv4 and 128 for IPv6 because the ... does not support range-based parameters for IKEv2 selectors. |
| remotePort | 0-65535 | Specifies the remote port of the SPD traffic selector. Zero indicates wildcard. Default value is 0. |
| state | N/A | Administrative state of this SPD entry: disabled (default) or enabled. |
| displaylevel | 1-64 | ... |

Because zero is the wildcard for the prefix-length, port and protocol selectors, an entry that keeps the selector defaults matches all traffic. A bypass entry configured that way passes everything as clear text, so verify its precedence relative to the protect and discard entries. A new entry also remains in the default disabled state until state is set to enabled.
Command Examples

```
% set addressContext default ipsec spd SPD3 localIpAddr 10.16.230.2 localIpPrefixLen 32 remoteIpAddr 10.16.220.2 remoteIpPrefixLen 32 action protect protocol 17 state enabled precedence 102
% show addressContext default ipsec
spd SPD3 {
    state enabled;
    precedence 102;
    localIpAddr 10.16.230.2;
    localIpPrefixLen 32;
    remoteIpAddr 10.16.220.2;
    remoteIpPrefixLen 32;
    protocol 17;
    action protect;
}
```
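As an added example (not part of the product documentation or its CLI), the following Python script parses the `spd NAME { ... }` blocks printed by `show addressContext <name> ipsec`, in the format of the example above, and lints each entry against the rules in the parameter table: the value ranges, unique precedence, the host-prefix requirement for IKEv2/ANY peers, mode being applicable only when action is protect, and the all-wildcard bypass case. The sample show output is constructed for this example. The peer's IKE protocol is configured on the IPsec peer object rather than on the SPD, so the script takes it as an argument, and applying the host-prefix rule only to protect entries (the ones negotiated with the IKE peer) is this example's assumption.

```python
"""Lint IPsec SPD entries from `show addressContext <name> ipsec` output.

Added example; not part of the product CLI or its documentation.
"""
import ipaddress
import re

# Constructed sample of the show output, in the format of the page's example.
SAMPLE_SHOW_OUTPUT = """\
spd SPD3 {
    state enabled;
    precedence 102;
    localIpAddr 10.16.230.2;
    localIpPrefixLen 32;
    remoteIpAddr 10.16.220.2;
    remoteIpPrefixLen 32;
    protocol 17;
    action protect;
}
spd SPD_ANY {
    state enabled;
    precedence 102;
    action bypass;
    mode tunnel;
}
spd SPD_NET {
    precedence 103;
    localIpAddr 10.16.230.0;
    localIpPrefixLen 24;
    remoteIpAddr 10.16.220.2;
    remoteIpPrefixLen 32;
    action protect;
}
"""

# Defaults from the parameter table; 0 is the wildcard for selectors.
DEFAULTS = {
    "localIpAddr": "0.0.0.0", "localIpPrefixLen": "0", "localPort": "0",
    "remoteIpAddr": "0.0.0.0", "remoteIpPrefixLen": "0", "remotePort": "0",
    "protocol": "0", "mode": "tunnel", "state": "disabled",
    "action": None, "precedence": None,   # no default stated on the page
}
RANGES = {
    "precedence": (0, 65535), "protocol": (0, 255),
    "localPort": (0, 65535), "remotePort": (0, 65535),
    "localIpPrefixLen": (0, 128), "remoteIpPrefixLen": (0, 128),
}
WILDCARD_KEYS = ("localIpPrefixLen", "remoteIpPrefixLen", "localPort", "remotePort", "protocol")

_BLOCK_RE = re.compile(r"spd\s+(\S+)\s*\{(.*?)\}", re.S)
_KV_RE = re.compile(r"(\w+)\s+([^;{}]+);")


def parse_spd(show_output):
    """Return {entry_name: {param: value}} holding only the explicitly shown params."""
    return {name: {k: v.strip() for k, v in _KV_RE.findall(body)}
            for name, body in _BLOCK_RE.findall(show_output)}


def _int_or_none(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def lint_spd(entries, peer_protocol="IKEv2"):
    """Return [(entry_name, message)] findings; an empty list means no issues.

    peer_protocol is the IPsec peer's IKE protocol (IKEv1, IKEv2 or ANY); it
    lives on the peer object, not the SPD, so the caller supplies it.
    """
    findings = []
    precedence_owner = {}
    for name, raw in entries.items():
        p = {**DEFAULTS, **raw}

        def note(msg):
            findings.append((name, msg))

        # Numeric ranges from the parameter table.
        for key, (lo, hi) in RANGES.items():
            val = _int_or_none(p[key])
            if val is None or not lo <= val <= hi:
                note(f"{key}={p[key]!r} is not an integer in {lo}-{hi}")

        # Precedence is the evaluation order and must be unique.
        prec = _int_or_none(p["precedence"])
        if prec in precedence_owner:
            note(f"precedence {prec} already used by {precedence_owner[prec]}; precedence must be unique")
        elif prec is not None:
            precedence_owner[prec] = name

        if p["action"] not in ("bypass", "discard", "protect"):
            note(f"action={p['action']!r} is not bypass, discard or protect")
        if p["action"] != "protect" and "mode" in raw:
            note(f"mode is only applicable when action is protect (action is {p['action']})")

        for addr_key, len_key in (("localIpAddr", "localIpPrefixLen"), ("remoteIpAddr", "remoteIpPrefixLen")):
            try:
                host_len = 32 if ipaddress.ip_address(p[addr_key]).version == 4 else 128
            except ValueError:
                note(f"{addr_key}={p[addr_key]!r} is not an IP address")
                continue
            # Assumption of this example: the host-prefix rule for IKEv2/ANY peers
            # applies to protect entries, the ones negotiated with the IKE peer.
            if p["action"] == "protect" and peer_protocol in ("IKEv2", "ANY") \
                    and _int_or_none(p[len_key]) != host_len:
                note(f"{len_key} must be {host_len} for an {peer_protocol} peer, found {p[len_key]}")

        # A bypass entry with every selector at the wildcard value matches all traffic.
        if p["action"] == "bypass" and all(_int_or_none(p[k]) == 0 for k in WILDCARD_KEYS):
            note("all selectors are wildcards: this bypass entry matches all traffic and passes it "
                 "as clear text; check its precedence against the protect and discard entries")

        if p["state"] != "enabled":
            note(f"state is {p['state']}; the entry is not active")
    return findings


if __name__ == "__main__":
    for entry, message in lint_spd(parse_spd(SAMPLE_SHOW_OUTPUT)):
        print(f"{entry}: {message}")
```

Run against the constructed sample, SPD3 (the page's own example) produces no findings; SPD_ANY is flagged for the duplicate precedence, the mode set on a non-protect entry, and the all-wildcard bypass; SPD_NET is flagged for its /24 local selector under an IKEv2 peer and for being left in the default disabled state.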